Using Patcher Promotion Workflows
info
As of this writing in July 2024 Gruntwork only officially supports Patcher Promotion Workflows using GitHub Actions. Other CI systems will come in future releases.
info
Related Content:
Prerequisites
Infrastructure As Code
In order to leverage Patcher Promotion Workflows your codebase must be using infrastructure specified as code using Terraform, OpenTofu and/or Terragrunt.
Environments as Folder Structures
In order to support multiple environments (such as dev, stage and prod) your code must represent those environments with a consistent folder structure that can be grouped via glob pattern matching, e.g.:
ls
dev-account1 dev-account2 prod-account1 prod-account2 stage-account1 stage-account2
Then you would define your dev environments as dev-*, stage as stage-* and prod as prod-* and so fourth.
Implementation & Setup Example
The Patcher Promotion Workflow process consists of a series of GitHub Actions workflow files. Each environment is modeled as an individual workflow. The process begins with the lowest stage (usually something like dev) which scans the entire dev environment for all dependencies which may require updates. It will then generate one pull request per dependency that updates that dependency exclusively in the dev environment. As each of those pull requests is approved and merged, they then general new pull requests for the subsequent stage (triggered via repository dispatch events). This process continues until the last stage at which point no further PRs are opened and all stages have been updated.
The easiest way to get started is likely by copying and tweaking the example files below. For the purposes of this example we'll set up a promotion workflow that promotes through dev, stage and finally prod, though of course feel free to tweak these to match the environment patterns you use.
Setting up the initial dev promotion step
The initial GitHub Actions Workflow file, which for this example lets call update-dev.yml, contains several key points:
- We set up the job to run on a schedule, to be a pull request target, a workflow dispatch and a repository dispatch.
- The schedule is of course optional but recommended
- The workflow dispatch is a recommended testing mechanism
- The pull request target is required to trigger certain jobs
- The
trigger-next-envJob- This job is run only on pull request merge, and it sends a dispatch to the next stage. Specifically it fires an event called
dev_updates_mergedwhich the next job will listen for. - This job also includes metadata, specifically a
dependency(which is derived from the git branch name), to indicate to the subsequent job which dependency to run for.
- This job is run only on pull request merge, and it sends a dispatch to the next stage. Specifically it fires an event called
- The
patcher-reportJob- This job runs patcher report to generate a list of updates for a specific environment (defined based on the
include_dirsargument) - Note this job uses a secret,
PIPELINES_READ_TOKEN, which needs to have access to your Gruntwork account to access the Patcher binary. See more on machine user tokens here.
- This job runs patcher report to generate a list of updates for a specific environment (defined based on the
- The
update-envJob- This job takes the spec output from the report, puts it into a file, then calls patcher update.
- Patcher update reads the spec file, checks out the code, makes a commit and then pushes a pull request
- Note it is critically important for the correct functioning of the pull request workflow that the
pull_request_branchbe defined as$PREFIX$DEPENDENCYID. We strip out the prefix to identify the dependency ID in thetrigger-next-envJob.
name: Update Dev Dependencies
on:
workflow_dispatch:
repository_dispatch:
types: [new_module_release]
schedule:
# 04:15 UTC on Mondays
- cron: "15 4 * * 1"
pull_request_target:
types:
- closed
branches:
- main
permissions:
contents: write
env:
ENV_FOLDER_NAME: dev
PR_BRANCH_PREFIX: patcherv2-dev-updates-
jobs:
trigger-next-env:
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'updates-dev')
runs-on: ubuntu-latest
steps:
- shell: bash
id: dependency
env:
PR_BRANCH_PREFIX: ${{ env.PR_BRANCH_PREFIX }}
BRANCH: ${{ github.head_ref }}
run: |
dep=${BRANCH#"$PR_BRANCH_PREFIX"}
echo "dependency=$dep" >> "$GITHUB_OUTPUT"
- uses: peter-evans/repository-dispatch@v2
with:
token: ${{ github.token }}
repository: ${{ github.repository }}
event-type: dev_updates_merged
client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "branch": "${{ github.head_ref }}", "dependency": "${{ steps.dependency.outputs.dependency }}"}'
patcher-report:
if: github.event_name == 'repository_dispatch' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
outputs:
spec: ${{ steps.get-spec.outputs.spec }}
steps:
- uses: actions/checkout@v3
- uses: gruntwork-io/patcher-action@v2
id: get-spec
with:
patcher_command: report
github_token: ${{ secrets.PIPELINES_READ_TOKEN }}
include_dirs: "{*dev*}/**"
working_dir: ./
spec_file: patcher-spec.json
update-env:
needs: [patcher-report]
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
dependency: ${{ fromJson(needs.patcher-report.outputs.spec).Dependencies }}
steps:
- uses: actions/checkout@v3
- name: Create the spec file
shell: bash
run: |
echo '${{ needs.patcher-report.outputs.spec }}' > patcher-spec.json
- uses: gruntwork-io/patcher-action@main
with:
patcher_command: update
github_token: ${{ secrets.PIPELINES_READ_TOKEN }}
working_dir: ${{ env.ENV_FOLDER_NAME }}
dependency: ${{ matrix.dependency.ID }}
spec_file: patcher-spec.json
pull_request_title: "[Patcher] [dev] Update ${{ matrix.dependency.ID }}"
pull_request_branch: "${{ env.PR_BRANCH_PREFIX }}${{ matrix.dependency.ID }}"
Setting up the stage step
This workflow file, update-stage.yml is nearly identical to update-dev.yml.
The main differences are
- The
repository_dispatchevent type is nowdev_updates_merged - The
include_dirsnow targets thestageenvironment instead ofdev - The
PR_BRANCH_PREFIXandpull_request_titlereference thestageenv instead ofdev
name: Update Stage Dependencies
on:
workflow_dispatch:
repository_dispatch:
types: [dev_updates_merged]
pull_request_target:
types:
- closed
branches:
- main
permissions:
contents: write
env:
PR_BRANCH_PREFIX: patcher-stage-updates-
jobs:
trigger-next-env:
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'updates-stage')
runs-on: ubuntu-latest
steps:
- shell: bash
id: dependency
env:
PR_BRANCH_PREFIX: ${{ env.PR_BRANCH_PREFIX }}
BRANCH: ${{ github.head_ref }}
run: |
dep=${BRANCH#"$PR_BRANCH_PREFIX"}
echo "dependency=$dep" >> "$GITHUB_OUTPUT"
- uses: peter-evans/repository-dispatch@main
with:
token: ${{ github.token }}
repository: ${{ github.repository }}
event-type: stage_updates_merged
client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "branch": "${{ github.head_ref }}", "dependency": "${{ steps.dependency.outputs.dependency }}"}'
patcher-report:
if: github.event_name == 'repository_dispatch' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
outputs:
spec: ${{ steps.run-report.outputs.spec }}
steps:
- uses: actions/checkout@v4
- uses: gruntwork-io/patcher-action@main
id: run-report
with:
github_token: ${{ secrets.PIPELINES_READ_TOKEN }}
patcher_command: report
working_dir: ./
spec_file: patcher-spec.json
include_dirs: "{*stage*}/**"
update-env:
needs: [patcher-report]
runs-on: ubuntu-latest
strategy:
fail-fast: false
max-parallel: 2
matrix:
dependency: ${{ github.event.client_payload.dependency && fromJson(format('[{{"ID"{0} "{1}"}}]', ':', github.event.client_payload.dependency)) || fromJson(needs.patcher-report.outputs.spec).Dependencies }}
steps:
- uses: actions/checkout@v3
- name: Create the spec file
shell: bash
run: |
echo '${{ needs.patcher-report.outputs.spec }}' > patcher-spec.json
- uses: gruntwork-io/patcher-action@main
with:
github_token: ${{ secrets.PIPELINES_READ_TOKEN }}
dependency: ${{ matrix.dependency.ID }}
patcher_command: update
spec_file: patcher-spec.json
pull_request_title: "[Patcher] [stage] Update ${{ matrix.dependency.ID }}"
pull_request_branch: "${{ env.PR_BRANCH_PREFIX }}${{ matrix.dependency.ID }}"
Setting up the prod stage
This workflow file, update-prod.yml is nearly identical to update-stage.yml.
The main differences are
- The
repository_dispatchevent type is nowstage_updates_merged - The
include_dirsnow targets theprodenvironment instead ofstage - The
PR_BRANCH_PREFIXandpull_request_titlereference theprodenv instead ofstage - Since this is the last environment in the chain, we no longer need a
trigger-next-envjob.
name: Update Prod Dependencies
on:
workflow_dispatch:
repository_dispatch:
types: [stage_updates_merged]
permissions:
contents: write
env:
PR_BRANCH_PREFIX: patcher-prod-updates-
jobs:
patcher-report:
if: github.event_name == 'repository_dispatch' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
outputs:
spec: ${{ steps.run-report.outputs.spec }}
steps:
- uses: actions/checkout@v4
- uses: gruntwork-io/patcher-action@main
id: run-report
with:
github_token: ${{ secrets.PIPELINES_READ_TOKEN }}
patcher_command: report
working_dir: ./
dependency: ${{ github.event.client_payload.dependency }}
spec_file: patcher-spec.json
include_dirs: "{*prod*}/**"
update-env:
needs: [patcher-report]
runs-on: ubuntu-latest
strategy:
fail-fast: false
max-parallel: 2
matrix:
dependency: ${{ github.event.client_payload.dependency && fromJson(format('[{{"ID"{0} "{1}"}}]', ':', github.event.client_payload.dependency)) || fromJson(needs.patcher-report.outputs.spec).Dependencies }}
steps:
- uses: actions/checkout@v3
- name: Create the spec file
shell: bash
run: |
echo '${{ needs.patcher-report.outputs.spec }}' > patcher-spec.json
- uses: gruntwork-io/patcher-action@main
with:
github_token: ${{ secrets.PIPELINES_READ_TOKEN }}
dependency: ${{ matrix.dependency.ID }}
patcher_command: update
spec_file: patcher-spec.json
pull_request_title: "[Patcher] [prod] Update ${{ matrix.dependency.ID }}"
pull_request_branch: "${{ env.PR_BRANCH_PREFIX }}${{ matrix.dependency.ID }}"